There was a lot of back-and-forth over the weekend amongst the tech geeks of the world about how a hacker could have possibly obtained access to Jennifer Lawrence and Kate Upton’s iPhone’s to leak their nude pictures. The investigation is in the hands of the FBI now, but the most popular theory was that the hackers were able to circumnavigate the usual privacy controls via a technical security flaw in iCloud or Apple’s Find My Phone feature. Next Web has a breakdown of the wonky technical details suspected in such a flaw.

The whole ordeal obviously raises some serious privacy concerns with the public-at-large about the safety of iCloud, which many use to backup their photos from their phone automatically. This afternoon, however, Apple says access to celebs phones via an iCloud security flaw isn’t what happened, according to their own internal investigation. Here’s the statement from Apple, via Next Web:

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

What does this mean? In short, J-Law and Kate Upton’s nudes weren’t just sitting out there in public, ripe for the taking by some Internet weirdo who just happened to stumble upon them. Rather, they were deliberately targeting via a social engineering scheme that came from guessing passwords, user names, and security questions, presumably over a long time. Eventually, the hackers guessed correctly and the rest is sleazy Internet history. It confirms that, yes, it was a malicious, targeted attack.